PGP Keyserver is a product intended primarily for the storage and retrieval of public keys. It acts as both an HTTP and an LDAP server for this purpose. Web Console is the web-based portion of the software that lets administrators remotely monitor and manage their PGP Keyserver. Several security flaws in the Web Console system can allow an attacker to gain full control of the server configuration.

By taking advantage of the console's configuration functionality, an attacker is able to read and overwrite almost any file on the system. Carefully overwriting files could also allow an intruder to run arbitrary commands on the server.

*Vulnerable Packages/Systems*

- PGP Keyserver 7.0 for Windows NT/2000

- PGP Keyserver 7.0 for Solaris

*Solution/Vendor Information/Workaround*

A simple solution to the authentication problem is to reconfigure the Apache server by editing the httpd.conf file located at (SERVER ROOT PATH)\Web\conf\httpd.conf and setting proper restrictions on the "/cgi-bin" directory.

Access to the file system through the console is a design problem that would not be dangerous if secure authentication were used.

The Web Console system is implemented on top of an Apache Web Server. It uses the SSL encryption protocol and listens, by default, on the standard HTTPS port 443.

The default authentication method is "Basic HTTP authentication", which means that the web browser asks for a username and password before allowing access to the console. Looking at the portion of the configuration file below, we notice that the access restrictions are applied to the CGI files, but due to the format used to write the rule they can be easily bypassed.
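One way to check that the restriction recommended above covers the whole "/cgi-bin" directory rather than individual CGI files, as an added example that is not part of the advisory or the vendor's software. Both sample configurations are constructed for illustration (they are not the product's shipped httpd.conf), and the file name `console.cgi` and the `/placeholder/...` paths are assumptions.

```python
import re

# Constructed samples; names and paths are placeholders, not the product's own.
WEAK = '''
<Files "console.cgi">
    AuthType Basic
    AuthName "Console"
    AuthUserFile /placeholder/admin-users
    require valid-user
</Files>
'''
HARDENED = '''
<Directory "/placeholder/Web/cgi-bin">
    AuthType Basic
    AuthName "Console"
    AuthUserFile /placeholder/admin-users
    require valid-user
</Directory>
'''

OPEN = re.compile(r'<(Directory|Location|Files)(Match)?\s+~?\s*"?([^">]+)"?\s*>', re.I)
CLOSE = re.compile(r'</(Directory|Location|Files)(Match)?\s*>', re.I)

def auth_sections(conf):
    """Return [(container, argument)] for each section that holds a 'require' directive."""
    found, stack = [], []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue  # skip blank lines and comments
        m = OPEN.match(line)
        if m:
            stack.append((m.group(1).capitalize(), m.group(3).strip()))
        elif CLOSE.match(line):
            if stack:
                stack.pop()
        elif line.lower().startswith('require ') and stack:
            found.append(stack[-1])  # innermost container owns the rule
    return found

def cgi_bin_protected(conf, cgi_dir='cgi-bin'):
    """True only if a Directory or Location container naming cgi_dir requires auth."""
    for kind, arg in auth_sections(conf):
        if kind in ('Directory', 'Location') and arg.rstrip('/\\').endswith(cgi_dir):
            return True
    return False  # per-file rules alone do not count as directory-wide protection
```

Running `cgi_bin_protected` against the live httpd.conf after editing it confirms that the rule is attached to the directory itself and not only to named files inside it.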

The file will be written when any event happens; you can then read the content and restore the configuration. You can use these steps to read the password file ".allowed-admin", where the admin username and password hash (SHA1/base64) are stored; the hash could then be brute-forced.